Developer Tools

Why AWS APIs Return XML - The Evolution from Query APIs to REST JSON

Explore the historical reasons why S3 and EC2 APIs return XML responses, the differences between Query APIs and REST APIs, the evolution of authentication from Signature V2 to V4, and the complexity that SDKs abstract away.

約 6 分で読めます

API Design in 2006 - When XML Was the Standard

When S3 and EC2 launched in 2006, XML was the standard data format in the world of web APIs. SOAP (Simple Object Access Protocol) was the mainstream approach for enterprise web services, and strict type definitions via XML Schema combined with service descriptions via WSDL (Web Services Description Language) were considered "proper" API design. JSON had been proposed by Douglas Crockford in 2001, but as of 2006 it was not yet widely adopted and was evaluated as "lightweight but lacking type safety." AWS's early APIs reflect the design philosophy of this era. The EC2 API uses a format called "Query API," where the action name and parameters are specified in HTTP GET request query parameters, and responses are returned in XML. For example, a request to list EC2 instances looks like https://ec2.amazonaws.com/?Action=DescribeInstances&Version=2016-11-15. The S3 API follows a REST style, using HTTP methods (GET, PUT, DELETE) and paths to operate on resources, but responses are in XML.

The Curse of Backward Compatibility - Why XML Cannot Be Retired

One of AWS's most important design principles is "never retire a published API." The EC2 Query API has been running continuously since 2006 for nearly 20 years, and the XML response format has not changed. Because millions of customers' applications depend on this API, changing the response format to JSON would be a massive breaking change. AWS solves this problem by adopting JSON for new services while maintaining the APIs of older services as-is. Services launched after 2012 (DynamoDB, Lambda, API Gateway, etc.) almost universally use JSON-based REST APIs. DynamoDB's API uses JSON request/response with a Content-Type of application/x-amz-json-1.0. Lambda's API is also JSON-based. Meanwhile, early services like EC2, S3, SQS, and SNS still return XML responses. AWS SDKs absorb this difference internally, so developers using SDKs never need to worry about the distinction between XML and JSON.

Signature V4 - Signing Every Request

Another distinctive feature of AWS APIs is that every request requires a cryptographic signature. The current standard, Signature Version 4 (SigV4), concatenates and hashes the HTTP method, URL, headers, and body of a request, then generates an HMAC-SHA256 signature using the secret access key. This signature is included in the Authorization header and verified on the AWS side. The SigV4 signing process consists of four steps. First, creating the Canonical Request: a normalized string of the HTTP method, URI, query string, and headers. Second, creating the String to Sign: concatenating the date, region, service name, and hash of the canonical request. Third, deriving the signing key: progressively deriving a signing key from the secret access key for each date, region, and service. Fourth, computing the signature: HMAC-SHA256 signing the string to sign with the signing key. Implementing this complex process manually is impractical, and AWS SDKs handle it automatically. When calling AWS APIs with curl without using an SDK, you need to implement this signing process yourself, making debugging extremely difficult.

The Complexity SDKs Abstract Away

AWS SDKs are a massive abstraction layer that hides API complexity from developers. The things SDKs handle internally are extensive: request signing (SigV4), XML/JSON serialization and deserialization, retry logic (with exponential backoff), error handling (distinguishing transient from persistent errors), pagination (automatically fetching large result sets across multiple requests), region endpoint resolution, and automatic refresh of temporary credentials (IAM role AssumeRole). SDK v3 (JavaScript) and boto3 (Python) implement these processes as middleware pipelines, and developers can add custom middleware as well. The SDK's retry logic is particularly important. AWS APIs apply throttling (rate limiting), and sending too many requests in a short period returns 429 (Too Many Requests) errors. SDKs automatically retry with exponential backoff (1 second, 2 seconds, 4 seconds...), eliminating the need for developers to implement retry logic themselves.

API Evolution and Future Direction

AWS API design has evolved significantly over 20 years. From the early Query API + XML, to REST + JSON, and more recently to GraphQL (AppSync) and event-driven (EventBridge), the API paradigms themselves have diversified. What has remained consistent in AWS API design is the principle that "once an API is published, it doesn't change." EC2 API version 2006-10-01 still works today. New features are added as new API versions, and old versions are never retired. This maintenance of backward compatibility is fundamental to AWS's reliability. Systems that enterprises spent years building won't suddenly stop working due to API changes. On the other hand, this principle also creates technical debt. Design decisions from 20 years ago (XML responses, Query API format) are still maintained today, leading new developers to wonder "why such an old format?" The answer is "for backward compatibility," which is a manifestation of AWS's commitment to prioritizing customer trust. To systematically learn about the history and principles of API design, specialized books (Amazon) can be helpful.

Related Services

Amazon S3A scalable object storage serviceAmazon EC2A compute service that provides virtual servers in the cloud

Related Articles

AWS Backward Compatibility and API Stability - The Trust Built by Never Retiring Published APIsExamine AWS's track record of never retiring published APIs, compare it with Azure's rebranding history and GCP's service discontinuation cases, and explain why API stability matters for enterprises.Origins and Naming Conventions of AWS Service Names - Why S3 Has Three S'sDig into the origins of major service names like S3, EC2, Lambda, and Aurora, exploring the hidden patterns in AWS naming conventions, naming missteps, and the history of rebranding.AWS First-Mover Advantage and Economies of Scale - What 18 Years of Accumulation Since 2006 Really MeansExamine the first-mover advantage AWS has built since creating the public cloud market in 2006, comparing service breadth, API stability, and ecosystem depth against Azure and GCP.

More on This Topic

How AI-DLC Transforms Software Development - A Practical Guide to the Inception, Construction, and Operation PhasesAn overview of the AI-DLC methodology that places AI at the center of the development process. Learn about the three phases of Inception, Construction, and Operation, and how to put them into practice with Kiro and Amazon Q Developer.Hands-On with the AI-DLC Unicorn Gym Workshop - Learning AI-DLC Through Team DevelopmentA complete look at the hands-on workshop where you experience AI-DLC through three days of team development. Learn how to run Mob Elaboration and Mob Construction, and how to leverage open-source workflows.Visually Design Serverless Applications with AWS Application Composer - Automatic IaC Template GenerationLearn about visual design of serverless architectures with Application Composer, automatic SAM template generation, and VS Code integration.Artifact Repository Management - Building a Secure Package Management Platform with AWS CodeArtifactLearn how to build and operate an artifact repository using AWS CodeArtifact. This guide covers centralizing package management for npm, Maven, PyPI, and more, along with building secure build pipelines through CodeBuild integration.How AWS API Throttling Works - The Token Bucket Algorithm and the Truth Behind 429 ErrorsLearn how AWS API rate limiting is implemented using the token bucket algorithm, understand the concept of burst capacity, explore differences in throttling limits across services, and discover practical strategies to avoid throttling.Why AWS API Endpoints Differ by Region - The Design of Global and Regional ServicesWe explain the design reasons behind the separation of regional endpoints like ec2.us-east-1.amazonaws.com and global endpoints like iam.amazonaws.com, as well as the existence of dual-stack and FIPS endpoints.Browser-Based Shell Environment - Instant CLI Access with AWS CloudShellExplains the browser-based shell environment powered by AWS CloudShell. Covers the CLI environment available instantly from the AWS Management Console, pre-installed development tools, automatic IAM authentication integration, secure file management, and practical tips for improving operational efficiency.IaC with Programming Languages Using AWS CDK - Designing Constructs and StacksLearn about defining infrastructure with TypeScript/Python using CDK, choosing between L1/L2/L3 constructs, and testing techniques.

Similar Articles and Services

How AWS Signature Version 4 (SigV4) Works - The Cryptographic Mechanics of API AuthenticationA cryptographic deep dive into the 4-step SigV4 signing process (canonical request creation, string-to-sign construction, signing key derivation, signature calculation) used for AWS API authentication, plus an overview of SigV4A and presigned URLs.Code Signing with AWS Signer - Ensuring Trust for Lambda Functions and Container ImagesApply code signing to Lambda functions and container images, enforce signature verification in CI/CD pipelines, and handle compromises through signature revocation.AWS SignerA service that signs and verifies code to ensure only trusted code is deployedAmazon API GatewayA fully managed service for creating, publishing, and managing REST APIs, HTTP APIs, and WebSocket APIs, serving as the front door to Lambda and other AWS servicesAmazon API Gateway Design Patterns - Choosing Between REST API and HTTP APIClear criteria for choosing between HTTP API and REST API, authentication patterns with Cognito and Lambda authorizers, and practical throttling design techniques.